In November we wrote that Moody’s announcing it intended to consider cybersecurity and cyber risk in financial ratings was the Trifecta of Board of Director centric cybersecurity developments, with the first being CEO and CISO firings in the wake of high profile events of recent years, and the second being the SEC’s updated guidance on how companies should understand and disclose cyber risk. Any doubt about the significance of that announcement no longer exists, as Moody’s has acted on its word and downgraded Equifax’s outlook from “Stable” to “Negative,” based primarily on concerns about Equifax’s cybersecurity.
While Moody’s has reaffirmed Equifax’s previous credit rating of Baa1, a change in the financial outlook could portend further action, and a possible downgrade of this rating. If this were to happen, borrowing costs on its $1.1B revolving credit facility could quickly be impacted.
Either way, this consequence cuts to the core of Board of Director fiduciary responsibilities and underscores why Boards need not only pay attention to cybersecurity, but also demand that business and security leaders manage cybersecurity in a manner that can withstand similar adverse actions.
This action is not isolated and is further evidence that Moody’s is following through on its November announcement to actively consider building cyber risk into its credit ratings. It is the first known instance of Moody’s downgrading a company’s outlook, but Moody’s has also recently recognized positive behavior – in December of 2018 it recognized the American Public Power Association’s cybersecurity efforts as a factor in maintaining a “stable” rating on the public power sector for 2019.
What is concerning about the Equifax announcement is the underlying implication – while the intermediate financial impact of the event and cost of improvements can’t be disputed (Moody’s specifically notes the breach costs plus major increased spending for cybersecurity), the downgrade does seem to imply continuing concerns about Equifax’s cybersecurity maturity and ability to manage the risk effectively.
At this point in time, given the major scrutiny that Equifax has been under and the likelihood that cybersecurity leadership has a blank check from management, it would seem reasonable to expect the opposite – that Equifax would be on the path to making itself a poster child for cybersecurity and recognized accordingly. That not being the case, it’s not unfair to interpret the downgrade as further recognizing that Equifax’s cybersecurity problems are more deeply rooted and will take far longer to remedy. Equifax’s approach to cybersecurity and cyber risk was probably flawed and needs to be entirely rebuilt.
The Days of “Green”, “Yellow” and “Red” are Behind Us
Whether or not that is true for Equifax, it is for many organizations in our experience. Gone are the days of being able to rely disproportionately on technology controls, point-in-time assessments with “green,” “yellow,” and “red” indicators of security, and buying insurance based on peer benchmarking reports provided by insurance brokers (Equifax has disclosed that it purchased $125M of cyber insurance, an amount quite inadequate relative to the cost of the event). That’s the real lesson here for Boards of Directors as they struggle to tackle cybersecurity and fulfill their duty of care responsibilities – managing cybersecurity according to the old paradigm risks the real possibility of a negative action by Moody’s or the other financial rating agencies, especially in the aftermath of an event when a rating downgrade is effectively pouring salt into a wound.
Luckily, achieving appropriate cybersecurity understanding and maturity is very available today, presumably in a way that could be used to answer any questions raised by Moody’s and others.
1. Understand your cyber risk exposure as it relates to the business and in financial terms.
The first step is to consider what a cyber event would look life if it occurred in your organization. Brainstorm scenarios based on what you do, how you use technology, and what the impact of that technology failing might be. As yourself questions similar to the following:
- Could there be a data breach?
- Could there be a business interruption due to system outages?
- Could somebody dupe one of your treasury staff into wiring money to a fraudulent account?
- Could a hack into your process control technology cause tangible damage and bodily injury?
Take a sample of these scenarios and get various operational and functional experts to contribute their knowledge to estimate the impact of those events. If Moody’s independently attempts to estimate your financial exposure to a catastrophic cyber event, gaining this knowledge will be useful as they simply won’t be able to achieve the same level of accuracy without knowing how the organization ticks on a daily basis. You can utilize this knowledge to your advantage and prepare your organization.
2. Aligning scenarios with a maturity based cyber program management model to generate understandable insights.
Use models such as the NIST Cybersecurity Framework (CSF) or the Cybersecurity Capability Maturity Model (C2M2), align it with the scenarios that you’ve quantified in step one, and ensure that your resulting insights are reported to the Board in an understandable way. Use a maturity-based approach because it recognizes that cyber risk is dynamic and managing it is a 24/7 endeavor. Compliance frameworks and standards, on the other hand, won’t ever go away but all too often produce a false sense of confidence once the checklist is complete and the compliance framework met. Align the methodology with the scenarios to connect the cybersecurity program with the business, a critical link for Boards for effectively understanding the cyber program. Further, it is the best way to align the universe of controls and technologies with the areas of greatest risk, providing additional evidence for folks like Moody’s that you are focused on appropriately protecting the long-term health of the organization.
3. Preparing the resources to recover from a significant event.
At the end of the day, everything translates into financial terms. It’s important to maintain the right balance of financial reserves and insurance to pay for much or all of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets, and others. Get a reasonable idea of what those costs might be by referring to Step 1.
4. Evidence all of the aforementioned components with peer benchmarking and best practices insight.
Cyber risk is incredibly dynamic, and traditional means of risk management (such as complying with standards or achieving certifications) can only serve as a baseline, so benchmarking and best practices insight can be the best way to prove cybersecurity maturity. Is your cyber exposure in line with or more favorable than that of your peers? Is your cyber program in line with or more favorable than that of your peers?
Put it all together and a Board of Directors can confidently and continuously validate that the organization is meeting its fiduciary responsibility for managing cyber risk: “We understand our exposure, we’re managing the risk as effectively as possible, we have the ability and financial resources to recover from a major event, and we can provide evidence.”